Securing Tomcat 8 – Part 2

Vulnerability: Clickjacking

How to check: 

Create a page that loads the site in an <iframe>; if the site is protected, it should fail to display inside the frame:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking if you can see it below!</p>
<iframe src="http://www.target.site"></iframe>
</body>
</html>

Remediation: 

Compile the class below and place it at $TOMCAT_BASE/lib/org/owasp/filters/ClickjackFilter.class (the directory path must match the package declaration):

package org.owasp.filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClickjackFilter implements Filter
{

    private String mode = "DENY";

    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        // Set the header before passing the request down the chain, so it is not
        // silently dropped if the response has already been committed when the
        // chain returns:
        res.addHeader("X-FRAME-OPTIONS", mode);
        chain.doFilter(request, response);
        // If you have Tomcat 5 or 6, there is a known bug using this code. You must
        // have the doFilter first:
        //chain.doFilter(request, response);
        //res.addHeader("X-FRAME-OPTIONS", mode);
    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
        // An optional "mode" init-param in web.xml (DENY or SAMEORIGIN) overrides the default
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            mode = configMode;
        }
    }
}

Add to the web application's web.xml:

<filter>
<filter-name>ClickjackFilterDeny</filter-name>
<filter-class>org.owasp.filters.ClickjackFilter</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>ClickjackFilterDeny</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Verification: In addition to the <iframe> check above, you can also verify that the X-FRAME-OPTIONS response header is present:

[root@localhost webapps]# telnet localhost 8180
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET http://localhost:8180/index.jsp HTTP/1.1

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=49A0FE6E28D5C04362CC830ECB4732F7; Path=/; HttpOnly
X-FRAME-OPTIONS: DENY
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6
Date: Thu, 10 Nov 2016 07:02:16 GMT
Server: MyServer

Hello

^C
Connection closed by foreign host.
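The telnet check above can be scripted. The following is an added example (not code from the original post) that reproduces the check in Python and parses the raw response: it confirms that X-Frame-Options is present with a valid value, and goes a little beyond the page by also flagging conflicting duplicate headers (what you get when the custom filter above and Tomcat's httpHeaderSecurity filter are both active), the obsolete ALLOW-FROM form, and by accepting a CSP frame-ancestors directive as the modern equivalent. The function names are this example's own, and the sample response is constructed from the session above.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the response captured in the telnet session above,
# re-assembled with CRLF line endings so the check can run offline.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=49A0FE6E28D5C04362CC830ECB4732F7; Path=/; HttpOnly\r\n"
    "X-FRAME-OPTIONS: DENY\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Content-Length: 6\r\n"
    "Date: Thu, 10 Nov 2016 07:02:16 GMT\r\n"
    "Server: MyServer\r\n"
    "\r\n"
    "Hello\n"
)

VALID_XFO = ("DENY", "SAMEORIGIN")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into the status line and an ordered list of
    (name, value) headers. Names are lower-cased because HTTP header names are
    case-insensitive (the filter above emits X-FRAME-OPTIONS in upper case)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate stray lines such as a telnet banner
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_framing_protection(raw: str) -> Dict[str, object]:
    """Decide whether the response stops the page from being framed.

    Returns protected (bool), the X-Frame-Options values seen, the CSP
    frame-ancestors source list if any, and a list of findings to fix."""
    _, headers = parse_response(raw)
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    frame_ancestors: Optional[str] = None
    for n, v in headers:
        if n == "content-security-policy":
            m = re.search(r"frame-ancestors\s+([^;]+)", v, re.IGNORECASE)
            if m:
                frame_ancestors = m.group(1).strip()

    findings: List[str] = []
    if not xfo and frame_ancestors is None:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: page can be framed")
    if len(set(xfo)) > 1:
        # Usually two filters both adding the header; browsers treat conflicting
        # values as DENY, but the configuration is ambiguous and should be reduced
        # to a single filter.
        findings.append("conflicting X-Frame-Options values %s: remove the duplicate filter" % xfo)
    for v in xfo:
        if v.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors")
        elif v not in VALID_XFO:
            findings.append("invalid X-Frame-Options value %r is ignored by browsers" % v)

    xfo_ok = bool(xfo) and all(v in VALID_XFO for v in xfo)
    csp_ok = frame_ancestors is not None and frame_ancestors != "*"
    return {
        "protected": xfo_ok or csp_ok,
        "xfo": xfo,
        "frame_ancestors": frame_ancestors,
        "findings": findings,
    }


def fetch_raw_response(host: str, port: int, path: str = "/") -> str:
    """Reproduce the telnet check over a plain socket, using HTTP/1.0 so the
    server closes the connection when the response is complete."""
    request = "GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


if __name__ == "__main__":
    import sys
    # Usage: python check_xfo.py <host> <port> <path>; with no arguments the
    # constructed sample above is checked instead.
    if len(sys.argv) == 4:
        raw = fetch_raw_response(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    else:
        raw = SAMPLE_RESPONSE
    result = check_framing_protection(raw)
    print("protected:", result["protected"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Run it against the Tomcat instance from the session above with `python check_xfo.py localhost 8180 /index.jsp`; a result of `protected: True` with no findings matches the header shown in the telnet output, while a second X-Frame-Options value in the findings is the sign that both the custom filter and httpHeaderSecurity are mapped to /*.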

References:

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Notes:

If you are using a supported version of Tomcat, you only need to configure the built-in HttpHeaderSecurityFilter in web.xml instead of doing all of the above:

<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>

If the Tomcat in use does not ship this filter, you will see the exception below at startup:

09-Nov-2016 11:44:00.655 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.filterStart Exception starting filter httpHeaderSecurity
java.lang.ClassNotFoundException: org.apache.catalina.filters.HttpHeaderSecurityFilter
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
